Checkpoint Firewalls and VPNs

Is anyone here familiar with Checkpoint? So far, from what I’m learning from Pluralsight, it supports a vast number of Fortune 100 companies? But I had never heard about them until I got to my new place. I always thought Juniper/Cisco were dominating this field at the enterprise level.

I am on the website browsing through their products and trying to see the different appliances/hardware, but it’s getting a bit confusing. They have threat protection, firewalls, security management? What? How do they differ? I’m trying to find a good place to learn more about their products but can’t seem to find a place that simplifies it down.

Figured I’d ask anyone who is experienced in their products to give me some insights and direction.

Thanks in advance.

After a large project implementing a Check Point NGFW perimeter replacing a handful of Cisco ASAs & IronPort appliances… and now having operated and maintained this environment for ~3 years, all I can do is warn people.

  • Support is horrendous
  • The product itself is a mash-up of several different purchases and old frameworks under the hood.
  • Thick client, Windows only for management. We’ve had 3 occasions where policy installation corrupted and took down HA clusters. Support response each time is something close to “Well that’s not supposed to happen”.
  • Upgrades are painful (usually having to uninstall previous patches and hotfixes just to move up a software version)
  • Several instances of IPS and AV signatures being pushed out that are woefully unready for production traffic. I know all vendors are guilty of this, but just as an example, two weeks ago they released an AV package with a botched signature that prevented all traffic to any URL that started with the letter “a”. As you can imagine, so much pain. All Google MX URLs start with “amx1, amx2, amx3…”. Many APIs for various services start with api.domain. To make it better, it took checkpoint 6 hours to publish the fix, and the fix itself came from servers that started with the letter “a”… so the fix was to disable threat protection until the fix was deployed, downloaded and installed.
  • Policy installation impacts traffic flow. If you have an active environment where you need to be working on FW/AV/IPS/VPN policies mid-day, this can be a major operational issue.
  • Several other production impacting events that I can elaborate on if anyone is curious

Fortinet and Palo Alto are high on my list for a deeper PoC during our next refresh.

I deployed/maintained various Check Point firewall products over the years. Many years. I would never recommend them to anyone.

Clunky management, poor documentation, cryptic upgrade processes, failover/clustering arduous to configure, etc…

Avoid at all costs.

My checkpoint experience is removing them from production!

First of all, it’s 2 words: Check Point.

They’ve been around forever, one of the original firewall companies, all software-based. Although they do have their own hardware line now, it’s all basically just a qualified/certified/consistent platform to run their software.

Cisco and Palo Alto have been eating their lunch for many years, but they have a heap of big customers that will never switch.

Support has been their biggest issue for a very long time, most customers get thoroughly screwed on support and upgrades.

While I do really like the GUI and the clear layout (they are great for junior netengs to get a visual on how the policy is laid out), that’s basically the only positive thing I can say about them.

The sheer amount of bugs and idiosyncrasies makes them very hard to recommend in an enterprise environment. Commissioning them is often a hit and miss affair, and just general stability makes me nervous in production. Clustering can be fraught with issues (ok, maybe having an HA cluster running over two sites isn’t the best idea, still).

In short, I would advise avoiding them if at all possible in an enterprise environment.

We ran a Check Point proof of concept against Cisco for about 4-5 months and didn’t run into any show stopping issues. Biggest issue I recall is inexperienced admins pushing policy that broke things, then trying to figure out who did what. We ran 90% of our user traffic through the Check Point and had a great experience. If you would want more info I’d be glad to elaborate, we actually have a shipment coming in today.

Checkpoint is a really good firewall company. I have been using them for a few years. They are quite popular in the Perimeter and Endpoint security space, just not huge like Cisco. With the malware issues of the current internet, the choice of a security partner is very important. I choose to work with Checkpoint.

Thick client, Windows only for management. We’ve had 3 occasions where policy installation corrupted and took down HA clusters. Support response each time is something close to “Well that’s not supposed to happen”.

I did my first Check Point install last fall. It took me a while to figure out there is a different application for policy configuration and log viewing. Documentation was very iffy. I broke access several times with what should have been innocuous changes. Overall I was very disappointed for a company that’s been doing this for a while.

I haven’t had major issues with support, but we really only call them for hardware issues or incredibly weird ones we can’t figure out on our own. I’ve found them quite helpful, but I usually end up working closely with R&D or CFG.

I agree about the mashup. That has been a huge argument of mine and they have gotten much, much better with R80.10. A lot of my big sticking points were addressed. I hate the way it was fragmented in R77 and earlier.

Were the corruptions on policies with a lot of rules or objects? I’m curious because we haven’t seen this with policies of 1800+ rules. It’s possible our over-engineering is what prevented this.

For the policy installs affecting traffic flow, was this on a box under a heavy load? I’m not trying to fanboy here, I’m genuinely curious. We’ve never seen that, but it never hurts to understand what others have seen.

As someone who supported Check Point from R55 to GAIA, this is pretty spot on. However, after Check Point I had to manage a Fortinet 800c, and the Fortinet made me miss Check Point.

This is just sad. We replaced our CPs three years ago for these same problems.
Back then their sales engineers, account managers, and even their fanboys on the Internet were saying how CP was “getting better about those things”…three years later, the same problems continue. That sucks.

I am put in this position. We currently have a Smart-1 appliance and a 4800 appliance with VPN licenses. Have any of you got these in your environment, and how is their VPN?

Policy installs affecting traffic – The first time I saw this, the CP I was working on did have several features turned on (e.g. remote access VPN, VPN tunnels, ~100 FW rules, NAT rules, ClusterXL, and SecureXL). This was on R65 on an open server. The second time I saw this was on R77 on a CP appliance with ~500 rules, NAT rules, URL inspection, application inspection, some IPS, SecureXL, and ClusterXL. This box had about 15 subinterfaces/DMZs, but traffic was still below 20%. We slimmed down the box to just have two in/out interfaces with just FW and IPS, and the problems went away.

Corruptions on policies – I saw this on R65 on an open server. I can’t say I saw this on R77.

Their site to site VPN isn’t the worst, but their remote access is brutal compared to Cisco, Juniper, and others. 5 different Check Point VPN clients, all with different functionality, licensing, etc. It’s a nightmare.

Actually, we have a remote access license. May need troubleshooting in the future. Is their forum the best bet for troubleshooting and looking up known issues?